
Supplying only bound_vpc_id to ec2-auth doesn't fulfill binding requirements #2599

Closed
mattupstate opened this issue Apr 17, 2017 · 5 comments

@mattupstate

mattupstate commented Apr 17, 2017

Documentation suggests you need only one bound_* parameter to fulfill the API request, but apparently bound_vpc_id isn't enough, as I still receive a 400 response:

curl -H "X-Vault-Token: ${VAULT_TOKEN}" https://localhost:8200/v1/auth/aws/ec2/role/default \
    -d @- <<EOF
{
	"bound_vpc_id": "${MY_VPC_ID}",
	"allow_instance_migration": true,
	"policies": "ec2-default"
}
EOF
{"errors":["at least be one bound parameter should be specified on the role"]}

This is with Vault 0.7.0.

@vishalnayak
Member

Note that changes in #2600 will be overridden by #2441 eventually.

@atheiman
Contributor

atheiman commented Jan 17, 2019

I just ran into this in vault 1.0.1 - @vishalnayak I think this issue should be reopened?

I had several (all?) available bound_ arguments set and still got this error:

 module.kitchen_terraform_app.module.app.vault_aws_auth_backend_role.aws: Creating...
   allow_instance_migration:          "" => "false"
   auth_type:                         "" => "iam"
   backend:                           "" => "aws-kitchen-terraform"
   bound_account_ids.#:               "" => "1"
   bound_account_ids.0:               "" => "123456789012"
   bound_ami_ids.#:                   "" => "2"
   bound_ami_ids.0:                   "" => "ami-1234"
   bound_ami_ids.1:                   "" => "ami-5678"
   bound_iam_instance_profile_arns.#: "" => "1"
   bound_iam_instance_profile_arns.0: "" => "arn:aws:iam::123456789012:instance-profile/MyProfile"
   bound_iam_role_arns.#:             "" => "1"
   bound_iam_role_arns.0:             "" => "arn:aws:iam::123456789012:role/MyRole"
   bound_regions.#:                   "" => "1"
   bound_regions.0:                   "" => "us-east-1"
   bound_subnet_ids.#:                "" => "2"
   bound_subnet_ids.0:                "" => "subnet-1234"
   bound_subnet_ids.1:                "" => "subnet-5678"
   bound_vpc_ids.#:                   "" => "2"
   bound_vpc_ids.0:                   "" => "vpc-123456"
   bound_vpc_ids.1:                   "" => "vpc-789012"
   disallow_reauthentication:         "" => "false"
   policies.#:                        "" => "1"
   policies.0:                        "" => "kitchen-terraform/test-app"
   resolve_aws_unique_ids:            "" => "true"
   role:                              "" => "test-app"
 
 Error: Error applying plan:
 
 1 error(s) occurred:
 
 * module.kitchen_terraform_app.module.app.vault_aws_auth_backend_role.aws: 1 error(s) occurred:
 
 * vault_aws_auth_backend_role.aws: error writing AWS auth backend role "auth/aws-kitchen-terraform/role/test-app": Error making API request.
 
 URL: PUT http://localhost:8200/v1/auth/aws-kitchen-terraform/role/test-app
 Code: 400. Errors:
 
 * at least be one bound parameter should be specified on the role

Edit

This is an issue with how I was using the Terraform resource: I was missing `auth_type = "ec2"`. With that set I have this working:

       module.kitchen_terraform_app.module.app.vault_aws_auth_backend_role.aws: Creating...
         allow_instance_migration:  "" => "false"
         auth_type:                 "" => "ec2"
         backend:                   "" => "aws-kitchen-terraform"
         bound_vpc_ids.#:           "" => "2"
         bound_vpc_ids.0:           "" => "vpc-123456"
         bound_vpc_ids.1:           "" => "vpc-789012"
         disallow_reauthentication: "" => "false"
         policies.#:                "" => "1"
         policies.0:                "" => "kitchen-terraform/test-app"
         resolve_aws_unique_ids:    "" => "true"
         role:                      "" => "test-app"

       module.kitchen_terraform_app.module.app.vault_aws_auth_backend_role.aws: Creation complete after 0s (ID: auth/aws-kitchen-terraform/role/test-app)

@jefferai
Member

Seems like a problem with your client then.

@atheiman
Contributor

I was using the vault terraform provider: https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html

But I found the issue with how I was using the tf resource and have updated my comment to reflect that.

@joelthompson
Contributor

Ah, yes, that would do it -- Vault ignores bindings that don't apply to the auth_type when checking to see if there is at least one binding on the role (to prevent you from accidentally allowing everyone to authenticate to the role).
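The behaviour joelthompson describes, as an added illustration that is not Vault's own code: a role is only accepted when at least one bound_* parameter is both set and relevant to its auth_type, so a role whose only bindings are EC2-metadata ones (VPC, subnet, region, AMI, instance profile, IAM role, account) fails under `auth_type = "iam"` exactly as in the Terraform run above, and passes once `auth_type = "ec2"` is set. Which parameter applies to which auth_type is an assumption modelled on this thread (every EC2-style binding atheiman set was ignored under `iam`); the `bound_iam_principal_arn` field is the assumed binding for the `iam` type. The error string is the one quoted in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoBinding reproduces the wording of the Vault error quoted in this thread.
var ErrNoBinding = errors.New("at least be one bound parameter should be specified on the role")

// Role is an illustrative model of the bound_* fields that appear in the thread.
// It is not Vault's own role type.
type Role struct {
	AuthType                    string
	BoundAccountIDs             []string
	BoundAMIIDs                 []string
	BoundRegions                []string
	BoundSubnetIDs              []string
	BoundVPCIDs                 []string
	BoundIAMInstanceProfileARNs []string
	BoundIAMRoleARNs            []string
	BoundIAMPrincipalARNs       []string // assumed: the binding that counts for auth_type "iam"
}

// applicableBindings returns the names of the bound_* parameters that are both set
// and relevant to the role's auth_type. The mapping of parameter to auth_type is an
// assumption based on the thread: every EC2-metadata binding set in the failing run
// was ignored under auth_type = "iam".
func applicableBindings(r Role) []string {
	type binding struct {
		name   string
		values []string
		types  map[string]bool // auth types for which this binding is honoured
	}
	ec2 := map[string]bool{"ec2": true}
	iam := map[string]bool{"iam": true}
	all := []binding{
		{"bound_account_id", r.BoundAccountIDs, ec2},
		{"bound_ami_id", r.BoundAMIIDs, ec2},
		{"bound_region", r.BoundRegions, ec2},
		{"bound_subnet_id", r.BoundSubnetIDs, ec2},
		{"bound_vpc_id", r.BoundVPCIDs, ec2},
		{"bound_iam_instance_profile_arn", r.BoundIAMInstanceProfileARNs, ec2},
		{"bound_iam_role_arn", r.BoundIAMRoleARNs, ec2},
		{"bound_iam_principal_arn", r.BoundIAMPrincipalARNs, iam},
	}
	var out []string
	for _, b := range all {
		if len(b.values) > 0 && b.types[r.AuthType] {
			out = append(out, b.name)
		}
	}
	return out
}

// ValidateRole rejects a role that, under its auth_type, would have no effective
// binding and therefore let any AWS caller authenticate to it.
func ValidateRole(r Role) error {
	if r.AuthType != "ec2" && r.AuthType != "iam" {
		return fmt.Errorf("unknown auth_type %q", r.AuthType)
	}
	if len(applicableBindings(r)) == 0 {
		return ErrNoBinding
	}
	return nil
}

func main() {
	// Constructed roles mirroring the failing and the fixed Terraform runs in the thread.
	broken := Role{AuthType: "iam", BoundVPCIDs: []string{"vpc-123456", "vpc-789012"}, BoundRegions: []string{"us-east-1"}}
	fixed := Role{AuthType: "ec2", BoundVPCIDs: []string{"vpc-123456", "vpc-789012"}}
	fmt.Println("iam + vpc/region bindings:", ValidateRole(broken))
	fmt.Println("ec2 + vpc bindings:", ValidateRole(fixed))
}
```

The point of the filter is the one in the comment above: counting an irrelevant binding would let an operator believe a role is restricted when, for the auth_type actually in use, nothing is checked at login time.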
